Behavior-based threat detection software infers the maliciousness of a program from the actions it is observed to perform. In many cases an individual action is not inherently malicious: the operating system permits it precisely because it is needed to accomplish legitimate and desirable tasks. Behavior-based threat detection software must therefore decide whether a particular action is likely to be malicious based on the context in which the action is performed, rather than on the action alone.
In some cases, the user is asked to decide whether a particular action should be allowed to execute in the processing system. Placing the burden on the user in this way relieves the security application of the responsibility of determining whether an action is malicious, but it has significant downsides. The process of prompting the user for a decision about each suspect action is time consuming and is often perceived as a negative experience. Users are also prone to "dialog fatigue": they become trained to click the simplest button rather than make an informed analysis. Moreover, even a user who attempts an analysis is typically not trained to differentiate an action associated with a threat from the same action performed by a legitimate application, so the user's analysis is frequently inaccurate.
In other cases, a whitelist or blacklist is generated to determine which actions are considered malicious. Generating such a list involves off-line processing of potential threats, typically by human analysts, with the results fed back to client machines in the form of lists of pre-approved (or blocked) applications. Threats such as malware, however, can be rapidly modified by their authors, and each modification may fall outside the existing list. Such modifications limit the effectiveness of a whitelist or blacklist in determining which actions are considered malicious.
Other approaches restrict detection to events that are known to be malicious, or grade the severity of the actions caused by events in order to guide the user toward a decision. Severity grading alone is of limited use, because many actions performed within the processing system are not inherently malicious when considered in isolation; a fixed grade per action does not take into account the context in which the action is performed.
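As an added illustration (example code, not part of the original text), the following Python compares a context-free severity grade with a context-aware score over two constructed action traces: a signed installer launched by the user, and an unsigned payload spawned from a document reader. The action kinds, context fields, weights, file paths and the decision threshold are all assumptions made for this example; they are not taken from the original text.

```python
"""Added example: why a per-action severity grade is not enough.

Two programs perform the same kinds of actions (write a file, start a
process, register for autorun, open a network connection). A fixed
severity grade per action cannot tell them apart; scoring each action in
the context it was performed in can. All names, weights and traces here
are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Iterable, List

# Context-free severity grades, one per action kind (constructed values).
SEVERITY = {
    "write_file": 1,
    "create_process": 1,
    "open_network": 2,
    "set_autorun": 3,
}

# Parents from which persistence or process creation is rarely legitimate
# (constructed list).
RISKY_PARENTS = {"browser.exe", "docreader.exe"}

@dataclass(frozen=True)
class Action:
    kind: str            # key of SEVERITY
    target: str          # path, registry value, host or image touched
    user_initiated: bool  # program was started by a user gesture
    signed: bool         # program image carries a valid signature
    parent: str          # name of the parent process

def severity_only(actions: Iterable[Action]) -> int:
    """Baseline: sum of fixed grades, ignoring context."""
    return sum(SEVERITY[a.kind] for a in actions)

def context_score(actions: List[Action]) -> float:
    """Scale each action's grade by the context it was performed in.

    The factors below are illustrative: a user-launched, signed program is
    expected to install, persist and use the network; the same actions
    from an unsigned child of a document reader are not, and executing a
    file the program itself just wrote is a combination worth weighting.
    """
    written = {a.target for a in actions if a.kind == "write_file"}
    total = 0.0
    for a in actions:
        weight = 1.0
        if a.user_initiated:
            weight *= 0.5
        if a.signed:
            weight *= 0.5
        if a.parent in RISKY_PARENTS and a.kind in {"set_autorun", "create_process"}:
            weight *= 3.0
        if a.kind == "create_process" and a.target in written:
            weight *= 2.0
        total += SEVERITY[a.kind] * weight
    return total

def classify(actions: List[Action], threshold: float = 5.0) -> str:
    """Decide from the context-aware score (threshold is an assumption)."""
    return "malicious" if context_score(actions) >= threshold else "benign"

# Constructed trace 1: signed installer the user double-clicked.
APP = r"C:\Program Files\App\app.exe"
INSTALLER = [
    Action("write_file", APP, True, True, "explorer.exe"),
    Action("set_autorun", r"HKCU\...\Run\App", True, True, "explorer.exe"),
    Action("open_network", "updates.example.test:443", True, True, "explorer.exe"),
    Action("create_process", APP, True, True, "explorer.exe"),
]

# Constructed trace 2: unsigned payload dropped by a document reader.
TMP = r"C:\Users\alice\AppData\Local\Temp\update.exe"
DROPPER = [
    Action("write_file", TMP, False, False, "docreader.exe"),
    Action("create_process", TMP, False, False, "docreader.exe"),
    Action("set_autorun", r"HKCU\...\Run\update", False, False, "docreader.exe"),
    Action("open_network", "198.51.100.7:8080", False, False, "docreader.exe"),
]

if __name__ == "__main__":
    for name, trace in (("installer", INSTALLER), ("dropper", DROPPER)):
        print(f"{name}: severity-only={severity_only(trace)} "
              f"context={context_score(trace):.2f} -> {classify(trace)}")
```

Both traces receive the same context-free grade, so severity grading alone offers the user no basis for a decision; the context-aware score separates them because the same action kinds are weighted by who launched the program, whether it is signed, which process spawned it, and whether it executes what it just wrote. In a real product the factors and weights would be learned or tuned against labelled traces rather than fixed by hand as they are here.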
There is a need, therefore, for a method, system, computer program product, software application, article and/or computer readable medium of instructions for generating a threat classifier that determines whether a process is malicious from the context of the actions it performs.